Threat Actor Characterization

Turla


ID: 019abd9f3ed516d87569e282dc9cb5cf23899
Categories: Cybercrime, State-Sponsored
Threat types: Malware, Espionage, Intrusion
Russia
Updated: 2026-01-13
Created: 2025-10-20
Aliases: Snake, Venomous Bear
MITRE ATT&CK®

Turla is a cyber espionage threat group that has been attributed to Russia's Federal Security Service (FSB). They have compromised victims in over 50 countries since at least 2004, spanning a range of industries including government, embassies, military, education, research and pharmaceutical companies. Turla is known for conducting watering hole and spearphishing campaigns, and leveraging in-house tools and malware, such as Uroburos. Ref: https://attack.mitre.org/groups/G0010/


Technique Technique name Tactics Evidence
T1016.001 Internet Connection Discovery TA0007
  • Internet Connection Discovery - Turla has used tracert to check internet connectivity. · ref
T1021.002 SMB/Windows Admin Shares TA0008
  • Remote Services: SMB/Windows Admin Shares - Turla used net use commands to connect to lateral systems within a network. · ref
T1027.005 Indicator Removal from Tools TA0005
  • Obfuscated Files or Information: Indicator Removal from Tools - Based on comparison of Gazer versions, Turla made an effort to obfuscate strings in the malware that could be used as IoCs, including the mutex name and named pipe. · ref
T1027.010 Command Obfuscation TA0005
  • Obfuscated Files or Information: Command Obfuscation - Turla has used encryption (including salted 3DES via PowerSploit's Out-EncryptedScript.ps1), random variable names, and base64 encoding to obfuscate PowerShell commands and payloads. · ref
T1027.011 Fileless Storage TA0005
  • Obfuscated Files or Information: Fileless Storage - Turla has used the Registry to store encrypted and encoded payloads. · ref
T1036.005 Match Legitimate Resource Name or Location TA0005
  • Masquerading: Match Legitimate Resource Name or Location - Turla has named components of LunarWeb to mimic Zabbix agent logs. · ref
T1055.001 Dynamic-link Library Injection TA0004 TA0005
  • Dynamic-link Library Injection - Turla has used Metasploit to perform reflective DLL injection in order to escalate privileges. · ref
T1059.001 PowerShell TA0002
  • Command and Scripting Interpreter: PowerShell - Turla has used PowerShell to execute commands/scripts, in some cases via a custom executable or code from Empire's PSInject. Turla has also used PowerShell scripts to load and execute malware in memory. · ref
T1059.003 Windows Command Shell TA0002
  • Command and Scripting Interpreter: Windows Command Shell - Turla RPC backdoors have used cmd.exe to execute commands. · ref
T1059.005 Visual Basic TA0002
  • Command and Scripting Interpreter: Visual Basic - Turla has used VBS scripts throughout its operations. · ref
T1059.006 Python TA0002
  • Command and Scripting Interpreter: Python - Turla has used IronPython scripts as part of the IronNetInjector toolchain to drop payloads. · ref
T1059.007 JavaScript TA0002
  • Command and Scripting Interpreter: JavaScript - Turla has used various JavaScript-based backdoors. · ref
T1069.001 Local Groups TA0007
  • Permission Groups Discovery: Local Groups - Turla has used net localgroup and net localgroup Administrators to enumerate group information, including members of the local administrators group. · ref
T1069.002 Domain Groups TA0007
  • Permission Groups Discovery: Domain Groups - Turla has used net group "Domain Admins" /domain to identify domain administrators. · ref
T1071.001 Web Protocols TA0011
  • Application Layer Protocol: Web Protocols - Turla has used HTTP and HTTPS for C2 communications. · ref
T1071.003 Mail Protocols TA0011
  • Application Layer Protocol: Mail Protocols - Turla has used multiple backdoors which communicate with a C2 server via email attachments. · ref
T1078.003 Local Accounts TA0001 TA0003 TA0004 TA0005
  • Valid Accounts: Local Accounts - Turla has abused local accounts that have the same password across the victim’s network. · ref
T1087.001 Local Account TA0007
  • Account Discovery: Local Account - Turla has used net user to enumerate local accounts on the system. · ref
T1087.002 Domain Account TA0007
  • Account Discovery: Domain Account - Turla has used net user /domain to enumerate domain accounts. · ref
T1090.001 Internal Proxy TA0011
  • Internal Proxy - Turla has compromised internal network systems to act as a proxy to forward traffic to C2. · ref
T1102.002 Bidirectional Communication TA0011
  • Bidirectional Communication - A Turla JavaScript backdoor has used Google Apps Script as its C2 server. · ref
T1134.002 Create Process with Token TA0004 TA0005
  • Access Token Manipulation: Create Process with Token - Turla RPC backdoors can impersonate or steal process tokens before executing commands. · ref
T1204.001 Malicious Link TA0002
  • User Execution: Malicious Link - Turla has used spearphishing via a link to get users to download and run their malware. · ref
T1518.001 Security Software Discovery TA0007
  • Software Discovery: Security Software Discovery - Turla has obtained information on security software, including security logging information that may indicate whether their malware has been detected. · ref
T1546.003 Windows Management Instrumentation Event Subscription TA0003 TA0004
  • Event Triggered Execution: Windows Management Instrumentation Event Subscription - Turla has used WMI event filters and consumers to establish persistence. · ref
T1546.013 PowerShell Profile TA0003 TA0004
  • Event Triggered Execution: PowerShell Profile - Turla has used PowerShell profiles to maintain persistence on an infected machine. · ref
T1547.001 Registry Run Keys / Startup Folder TA0003 TA0004
  • Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder - A Turla JavaScript backdoor added a local_update_check value under the Registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run to establish persistence. Additionally, a Turla custom executable containing Metasploit shellcode is saved to the Startup folder to gain persistence. · ref
T1547.004 Winlogon Helper DLL TA0003 TA0004
  • Boot or Logon Autostart Execution: Winlogon Helper DLL - Turla established persistence by adding a Shell value under the Registry key HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon. · ref
T1553.006 Code Signing Policy Modification TA0005
  • Subvert Trust Controls: Code Signing Policy Modification - Turla has modified variables in kernel memory to turn off Driver Signature Enforcement after exploiting vulnerabilities that obtained kernel mode privileges. · ref
T1555.004 Windows Credential Manager TA0006
  • Credentials from Password Stores: Windows Credential Manager - Turla has gathered credentials from the Windows Credential Manager tool. · ref
T1560.001 Archive via Utility TA0009
  • Archive Collected Data: Archive via Utility - Turla has encrypted files stolen from connected USB drives into a RAR file before exfiltration. · ref
T1562.001 Disable or Modify Tools TA0005
  • Impair Defenses: Disable or Modify Tools - Turla has used an AMSI bypass, which patches the in-memory amsi.dll, in PowerShell scripts to bypass Windows antimalware products. · ref
T1564.012 File/Path Exclusions TA0005
  • Hide Artifacts: File/Path Exclusions - Turla has placed LunarWeb install files into directories that are excluded from scanning. · ref
T1566.002 Spearphishing Link TA0001
  • Phishing: Spearphishing Link - Turla attempted to trick targets into clicking on a link featuring a seemingly legitimate domain from Adobe.com to download their malware and gain initial access. · ref
T1567.002 Exfiltration to Cloud Storage TA0010
  • Exfiltration Over Web Service: Exfiltration to Cloud Storage - Turla has used WebDAV to upload stolen USB files to a cloud drive. Turla has also exfiltrated stolen files to OneDrive and 4shared. · ref
T1583.006 Web Services TA0042
  • Acquire Infrastructure: Web Services - Turla has created web accounts including Dropbox and GitHub for C2 and document exfiltration. · ref
T1584.003 Virtual Private Server TA0042
  • Compromise Infrastructure: Virtual Private Server - Turla has used the VPS infrastructure of compromised Iranian threat actors. · ref
T1584.004 Server TA0042
  • Compromise Infrastructure: Server - Turla has used compromised servers as infrastructure. · ref
T1584.006 Web Services TA0042
  • Compromise Infrastructure: Web Services - Turla has frequently used compromised WordPress sites for C2 infrastructure. · ref
T1587.001 Malware TA0042
  • Develop Capabilities: Malware - Turla has developed its own unique malware for use in operations. · ref
T1588.001 Malware TA0042
  • Obtain Capabilities: Malware - Turla has used malware obtained after compromising other threat actors, such as OilRig. · ref
T1588.002 Tool TA0042
  • Obtain Capabilities: Tool - Turla has obtained and customized publicly-available tools like Mimikatz. · ref